New York to tighten data breach disclosure norms; US moves to secure energy grid from cyber-attacks

News by Bradley Barth and Teri Robinson

A new Act introduced in New York makes it mandatory for companies to disclose a data-breach incident even if an unauthorised person merely accesses the information

The US wrapped up last month with two significant legal moves to tackle cyber-crime.

The New York State Legislature has passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which is intended to strengthen the state’s data security laws by more explicitly defining when and how businesses must notify the public and attorney general of a data breach incident.

The new act coincides with the US Senate approving the Securing Energy Infrastructure Act, which aims to secure the energy grid through collaboration with private industry by removing vulnerabilities that hackers could exploit.

"Our connectivity is a strength that, if left unprotected, can be exploited as a weakness," according to a release from senator Angus King, who introduced the bill along with senator Jim Risch. "This bill takes vital steps to improve our defenses, so the energy grid that powers our lives is not open to devastating attacks launched from across the globe."

If the bill becomes law, it would create a two-year pilot programme at the US National Laboratories to explore new classes of vulnerabilities, and to study and test analog devices and other technology that entities could use to isolate critical systems from cyber-attacks.

It would also mandate a working group made up of representatives from federal government agencies, the energy industry, a state or regional energy agency, the National Laboratories and other groups to assess technology solutions offered by the National Laboratories and come up with a plan to isolate the grid from attacks.

The legislation seeks to define covered entities "as segments of the energy sector that have already been designated as entities where a cyber-security incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security," the release said.

Meanwhile, the proposed legislation in New York, introduced by state senator Kevin Thomas and assembly member Michael DenDekker, now sits on the desk of governor Andrew Cuomo, awaiting his signature.

Under current law, businesses in the US financial capital must disclose a breach only when it is reasonably believed that an unauthorised person acquires certain personal and private information. But SHIELD would lower the threshold so that the reasonable belief that someone merely accessed the information is enough to require a notification.

"This distinction could be especially significant in the ransomware context in which private information may not be stolen, but nonetheless may be accessed in a way that would now constitute a data breach and may trigger notification obligations," explained Joseph Moreno, a partner in Cadwalader, Wickersham & Taft LLP’s White Collar Defense and Investigations Group, in an analysis posted by Mondaq.

Moreover, the new law would vastly expand the pool of companies that must follow these notification regulations. Current law applies only to parties conducting business in New York, but under SHIELD, any entity that deals in the private information of New York residents must comply.

SHIELD also would add biometric information, as well as email addresses in combination with corresponding passwords or knowledge-based answers, to the list of private data that would require notification, if accessed alongside users’ personal information.

The legislation, which was passed on 17 June, also states that "any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information…"

Examples of technical safeguards include solutions that allow individuals or organisations to assess risk in network design, software and data management, and detect, prevent and respond to attacks. Examples of physical safeguards include secure processes for information storage and disposal; intrusion detection, prevention and response; and data disposal.

SHIELD also specifies that small businesses will be held to data security standards that are reasonable based on their size and complexity, the nature of their activities, and the sensitivity of the data they collect.

"Consumers deserve the peace of mind that their private information is secure," said attorney general Letitia James in a recent press release. "This bill is an important step forward providing greater protection for consumers’ private information and holding companies accountable for securing that data."

"It is critical that our laws keep pace with the rapidly changing world of technology," said state senator Thomas in the same release. "I am proud to announce the passage of the SHIELD Act… as it will allow for increased accountability and diligence in regards to consumer privacy. Now more than ever, it is important that businesses protect the private information of the consumers they serve."

"This bill will ensure that businesses across the state dutifully guard consumer data and will enable the attorney general’s Office to take the appropriate measures quickly and effectively in case of a breach," added assembly member DenDekker in the release. "With the passing of the SHIELD Act, consumers’ private information will be more secure than ever."

This article was originally published on SC Media US.
